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Chapter 1: About Getting Started 



Volume 2: Getting Started describes how to access the Blue Coat SG appliance using the 
CLI or Management Console, and provides basic configuration information that is 
required in every environment. 



About This Book 

This book deals with the following topics: 

"Licensing" on page 9 
"Accessing the SG Appliance" on page 19 
"Configuring Basic Settings" on page 27 
"Archive Configuration" on page 33 
"Adapters" on page 39 

"Software and Hardware Bridges" on page 49 
"Gateways" on page 61 
"DNS" on page 67 
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Appendix 



Document Conventions 

The following section lists the typographical and Command Line Interface (CLI) syntax 
conventions used in this manual. 



Table 1 -1 . Document Conventions 



Conventions 


Definition 


Italics 


The first use of a new or Blue Coat-proprietary term. 


Courier font 


Command line text that appears on your administrator workstation. 


Courier Italics 


A command line variable that is to be substituted with a literal name or 
value pertaining to the appropriate facet of your network system. 


Courier Boldface 


A Blue Coat literal to be entered as shown. 


u 


One of the parameters enclosed within the braces must be supplied 


n 


An optional parameter or parameters. 


l 


Either the parameter before or after the pipe character can or must be 
selected, but not both. 
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This chapter describes the SG appliance licensing behavior. 

About Licensing 

SGOS 5.x features a global licensing system for the SGOS software. License key files are 
issued on a per-appliance basis. One license key file includes all of the component 
licenses for whichever SGOS features you have elected to use. 



Note: When your Blue Coat appliance order was completed, you received an e-mail 
that contained serial numbers for licensable components. Those numbers are required 
for the procedures in this chapter. 



Licensable Components 

There are three types of licensable components: 

□ Required — The SGOS 5 Base; these features are required on the SG appliance. 

□ Included — Additional SGOS 5.x features, which are provided by Blue Coat and that 
are included in the SGOS 5 base license. 

□ Optional — Any additional (purchased) features. 

When the license key file is created, it contains components of all three types. The 
following table lists the SG appliance licensable components, categorized by type. 



Table 2-1 . Licensable Components 



Type 


Component 


Description 


Required 


SGOS 5 Base 


The Proxy SG operating system, plus base features: HTTP, FTP, TCP- 
Tunnel, SOCKS, and DNS proxy. 


Included 


3rd Party Onbox 
Content Filtering 


Allows use with third-party vendor databases: Intersafe, Op tenet, 
Proventia, SmartFilter, SurfControl, Websense, and Webwasher. 


Included 


Websense 
Offbox Content 
Filtering 


For Websense off-box support only. 


Included 


ICAP Services 


External virus and content scanning with ICAP servers. 


Included 


Bandwidth 

Management 


Allows you to classify, control, and, if required, limit the amount of 
bandwidth used by different classes of network traffic flowing into or 
out of the Proxy SG. 


Included 


Windows Media 
Standard 


MMS proxy; no caching or splitting; content pass-through. Full policy 
control over MMS. 


Included 


Real Media 
Standard 


RTSP proxy for Real Media content; no caching or splitting; content 
pass-through. Full policy control over RTSP. 
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Table 2-1 . Licensable Components (Continued) 



Type 


Component 


Description 


Included 


Apple QuickTime 


RTSP proxy for QuickTime content; no caching or splitting; content 
pass-through. Full policy control over RTSP. 


Included 


Netegrity 

SiteMinder 


Allows realm initialization and user authentication to SiteMinder 
servers. 


Included 


Oracle COREid 


Allows realm initialization and user authentication to COREid servers. 


Included 


Peer-to-Peer 


Allows you to recognize and manage peer-to-peer P2P activity relating 
to P2P file sharing applications. 


Included 


Compression 


Allows reduction to file sizes without losing any data. 


Optional 


SSL Proxy 


Native SSL proxy and Reverse HTTPS Proxy (SSL termination) on the 
Proxy SG. Includes an SSL accelerator card to be installed on the 
appliance. 

Upon upgrading to SGOS 4.2, the license description for an existing SSL 
license changes to "SSL Proxy" instead of "SSL Termination." This is 
simply a description change. SSL termination and SSL Proxy 
functionality are available (when licensed) on SGOS 4.2. 


Optional 


IM 


AOL Instant Messaging: AIM proxy with policy support for AOL Instant 
Messenger. 

MSN Instant Messaging: MSN proxy with policy support for MSN 
Instant Messenger. 

Yahoo Instant Messaging: Yahoo proxy with policy support for Yahoo 
Instant Messenger. 


Optional 


Windows Media 
Premium 


MMS proxy; content caching and splitting. 

Full policy control over MMS. 

When the maximum concurrent streams is reached, all further streams 
are denied and the client receives a message. 


Optional 


Real Media 
Premium 


RTSP proxy for Real Media content; content caching and splitting. 

Full policy control over RTSP. 

When the maximum concurrent streams is reached, all further streams 
are denied and the client receives a message. 


Optional 


SG Client 


Entitles you to support a certain number of SG Clients in your 
enterprise; however, the license does not limit the number of ADN 
tunnels to which clients can have access. SG Client licenses are 
upgradeable so you can support a larger number of users. 

Note: Only the appliance designated as the SG Client Manager requires 
a license. To use SG Clients in your enterprise, you need to apply the 
license only to the Client Manager, and not to any other appliances in 
the ADN network. 



About the Trial Period 

Blue Coat provides a trial period. The initial system boot-up triggers the 60-day trial 
period, during which you can evaluate the SGOS functionality For the first 60 days, all 
licensable components are active and available to use. Furthermore, when a license is 
installed during the trial period (or while using a demo license), components that are not 
part of that license remain available and active during the trial period. 



10 



Chapter 2: Licensing 



Each time you navigate to the Management Console home page or click the Maintenance > 
Licensing tab, a pop-up dialog appears warning you that the trial period expires in so 
many days (a text message is displayed on a Telnet, SSH, or serial console). If you require 
more time to explore the SGOS features, a demo license is available; refer to your reseller 
or contact Blue Coat Sales. 

The trial period streaming and IM licenses are no-count licenses — unlimited streams and 
IM clients are accessible. 

Upon installing licenses after or during the trial period, the Base SGOS, Instant Messaging 
(IM), Windows Media basic, and Real Media premium licenses are also unlimited, but 
Windows Media premium and IM licenses impose user limits established by each license 
type. 

Note: If you invoke the re store -defaults command after you have installed licenses, 
and the serial number of your system is configurable (older boxes only), the licenses fail to 
install and you return to the trial period (if any time is left). 



About License Expiration 

At the end of the trial or demo period or, subsequently, when any normally licensed 
component expires, components that have not been licensed do not process requests. A 
license expiration notification message is logged in the Event Log (refer to the Event log 
information in Volume 10: Managing the Blue Coat SG Appliance for details). 

If a license expires, users might not receive notification, depending upon the application 
they are using. Notifications do occur for the following: 

□ HTTP (Web browsers) — An HTML page is displayed stating the license has expired. 

□ SSL — An exception page appears when an HTTPS connection is attempted. 

□ Instant Messaging clients — Users do not receive a message that the license has expired. 
Any IM activity is denied, and to the user it appears that the logon connection has 
failed. 

□ FTP clients — If the FTP client supports it, a message is displayed stating the license has 
expired. 

□ Streaming media clients — If the Windows Media Player, RealPlayer, or QuickTime 
player version supports it, a message is displayed stating the license has expired. 

□ SG Client — After the trial license has expired, clients cannot connect to the ADN 
network. 

You can still perform SGOS configuration tasks, CLI, SSH console, serial console, or Telnet 
connection. Although the component becomes disabled, feature configurations are not 
altered. Also, policy restrictions remain independent of component availability. 

About the System Serial Number 

Each SG serial number is the appliance identifier used to assign a license key file. The SG 
contains an EEPROM with the serial number encoded. The SG appliance recognizes the 
serial number upon system boot-up. 

The serial number is visible by navigating to Configuration > General > Identification. 
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Obtaining a WebPower Account 

Before you can register your SG and retrieve the license key, you must have a Blue Coat 
WebPower user account. 

If you do not have a WebPower account or have forgotten your account information, use 
the following procedure. 

Procedure: To obtain a WebPower account: 

1. Select Maintenance > Licensing > Install. 

2. In the License Administration field, click Register/Manage. The License Configuration 
and Management Web page appears (ignore the dialog at this time). 

3. Perform one of the following: 

To obtain a new account, click the link for Need a WebPower User ID. Enter the 
information as prompted. 

To obtain your current information for an existing account, click the Forgot your 
password link. 

Registering and Licensing Blue Coat Hardware and Software 

This section describes how to automatically register the system with Blue Coat and, 
through WebPower, generate and retrieve the software license key. Registering and 
licensing involves the followings tasks. 

Note: If the SG appliance does not have Internet access, see "Manual License 
Installation" on page 15. 



Table 2-2. Registration and Licensing Tasks 



Task 


Description 


1 


Register the hardware — The serial number for this SG appliance is already 
linked to your Blue Coat account. This step electronically acknowledges that 
you are ready to activate the system. 


2 


Register the software — This step links the software you ordered with the system (thus 
generating a license key). 


3 


Retrieve the license key — Activates your SGOS features. 



Registering the Hardware 

Procedure: To register the hardware: 

1. Open a browser and ensure pop-up blocking is disabled. 

2. Enter the SGOS Management Console URL. 
https : / / IP_address : 8082 

3. Enter the access credentials specified during initial setup. 

4. Click Management Console. The license warning/ registration page displays. 
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License Warning j 

This device is operating in the trial period. Trial expiration date is 
2006-09-2O 

- Hardware Registration 

@ Register hardware with Blue Coat automatically 
WebPower User ID: | 

Password: 

O Hardware has been manually registered 
Registration Status: 



Register Mow |[ Register Later | [ Help 



5. Enter your WebPower credentials and click Register Now. In the Registration Status 
field, a hardware registration confirmation message appears and the License 
Configuration and Management login Web page displays in a new browser (if you 
disabled pop-up blocking in Step 1). 

6. Select the serial number link of this appliance from the list of Currently Registered 
Hardware. 

Creating a License Key File 

The License Self-Service Web page allows you to create a license key file. Upon 
purchasing the SG appliance from Blue Coat or a reseller, you received an e-mail that 
contains license serial numbers. These serial numbers are required to create the license 
key file. 



Change Hardware Record 



License Self-Service 
You are currently reviewing the software options associated v 

Hardware Model: 400-0, 2x1 0/1 OOBase-T 

Hardware Serial Number: 



Valued Customer: 
Organization: 



IT Manager 

Blue Coat Systems Inc. 



Current Oust Info 

1003020286 - 400 -0, 2x1 0/1 OOBase-T Links 

The following software options are currently linked to this product. To modify this configuration, select the appropriate tab below and follow the 
instructions. 

Software S.M Description Expires Limit 

Get License For Manual Installation. (Opens in a new window.) 
Detailed instructions on downloading your license are available from 
the appliance Management Console. To view these, navigate to 
'Mairrtenance/Licensing" and click the "Help" button at the bottom of 
the screen. 

Update License Key to support additional features in the latest 
releases. Please see Release Notes for more information. 



Go to WebPower 
Contact Technical Support 

Contact Support Services for configuration assistance. 




To link a software option that is not listed above, record the software serial number(s) below and click 'Apply. 



Figure 2-1 . License Self-Service Web Page 
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Procedure: To create a license key file: 




1. In the first field under Add a New Software Option to this appliance, enter the serial 
number for the SGOS 5.x base license. 

2. In the subsequent fields, enter the serial numbers for any optional licenses you 
obtained 

3. Click Apply. A license key is generated and the status is displayed in a dialog. 

4. Log out of WebPower. 

Retrieving the License Key File 

The license key is now ready to be downloaded to the SG. 

1. From the Management Console, select Maintenance>Licensing>lnstall. 

2. In the License Key Automatic Installation field, click Retrieve. The Request License 
dialog displays. 




3. Enter your Blue Coat WebPower user ID and password. 

4. Click Send Request. 

The SG appliance fetches the license associated with the serial number that is 
displayed. 
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5. The Installation Status field displays relevant information. When installation is 
complete, click Results; examine the results and click OK; click Close. The SG 
appliance is now licensed. 

6. Select Maintenance>Licensing>View. 



View | Install 
Licensed Components 



Component 


Valid 


Expiration Date 




SG0S4 


yes 


2006-01-03 


A- 


3rd Party Onbox Content ... 


yes 


2006-01-03 


.il. 


Websense Offbox Conte... 


yes 


2006-01-03 




ICAP Services 


yes 


2006-01-03 




AOL Instant Messaging 


yes 


2006-01-03 


V 



View Details 



Refresh Data 



General License Information 

Hardware serial number:(not available) 

T rial expiration date: 2006-01 -03 



T rial Components are enabled 



| | Disable 



Apply 



Cancel 



Help 



Figure 2-2. Viewing licensed components. 

Each licensable component is listed, along with its validity and its expiration date. 



Note: To view the most current information, click Refresh Data. 



You can also highlight a license component and click View Details. A dialog appears 
displaying more detailed information about that component. For example, a streaming 
component displays the maximum number of streams allowed. 



Manual License Installation 

If the SG appliance does not have Internet access, you can download a . bin file with your 
licensing information. The file can then be installed from a Web server or a local directory. 

Procedure: To manually obtain and install the license: 

1. Select Maintenance>Licensing>lnstall. 

2. Click Register/Manage. A new browser window opens and prompts you for your 
WebPower login. 

3. Enter your WebPower username and password and click Login. 
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Support - License Management 



Currently Registered Hardware: 



The following appliances are currently registered to your organisation: 




le software license for an appliance listed above, select that appliance's serial 



Part Humber 



Description 

400-0, 2*10/100Base-T 



number. 



5. 

6. 
7. 



In the Currently Registered Hardware field, click the serial number of the system you 
want to license. 



Gust Info 

Links 

Go to Web Power 
Contact Technical Support 

Contact Support Services for configuration 
assistance. 

r tubnual Installation. (Opens in a 



your license are available from the appliance 
Ivtanagement Console. To view these, navigate to 
"tV/taintenance/Licensing" and click the "Help" 
button at the bottom of the screen. 

Update Ucense Key to support additional 
features in the latest releases. Please see 
Release Notes for more information. 

This hardware is not entitled with a current Gold or 
Platinum Service contract, which would allow free 
upgrades. SGOS 4 has been released for certain 
hardware. See the Upgrade Guide for more 
details and hardware compatibility. 



In the Cust Info field, click Get License For Manual Installation. You are prompted to 
save a . bin file with the license information. 

Save the .bin file. 

In the License Key Manual Installation field, select one of the following from the drop- 
down list and click Install: 



Note: A message is written to the event log when you install a license through the 
SG appliance. 



Remote URL — If the file resides on a Web server. The Install License Key dialog 
displays. 

Enter the URL path and click Install. The Installation Status field displays relevant 
information. When installation is complete, click Results; examine the results, close 
the window, and click OK. Click Apply. 

Local File — If the file resides in a local directory. The Upload and Install File window 
opens. 




g Detailed instructions on downloading 
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Enter a path to the license file or click Browse and navigate to the file. Click Install. A 
results window opens. Examine the license installation results; close the window. 
Click Close. Click Apply. 

The license is now installed. All features that you subscribed to are fully operational. 

Disabling the Components Running in Trial Mode 

You have the option to not let users access features that are currently running in trial 
mode; however, you cannot selectively disable trial mode features. You must either 
enable all of them or disable all of them. 

Note: When you purchase an SG appliance, some of the licenses are temporarily enabled 
for evaluation purposes. This is called Trial Mode. 

Procedure: To disable trial mode components: 

1. On the View License tab, select Disable in the Trial Components are enabled field. 

2. Click Apply. 

3. Click Refresh Data. All licenses that are in trial mode switch from Yes to No. Users 
cannot use these features. Furthermore, they do not receive nag dialogs warning of 
license expiration. 

Also notice that this option text changes to Trial Components are disabled: Enabled. Repeat 
this process to re-enable trial licenses. 

Updating a License 

After the initial license installation, you might decide to use another feature that requires 
a license. For example, you currently support Windows Media, but want to add Real 
Media support. The license must be updated to allow this support. 

Procedure: To update a license: 

1. Select Maintenance>Licensing>lnstall. 

2. Click Register/Manage. 

3. Follow the instructions on the Blue Coat License Self-Service Web page. 

4. If using the automatic license installation feature, click Update; otherwise, manually 
install the license as described in "Manual License Installation" on page 15. 



Automatically Updating a License 

The license automatic update feature allows the SG appliance to contact the Blue Coat 
licensing Web page 31 days before the license is to expire. If a new license has been 
purchased and authorized, the license is automatically downloaded. If a new license is not 
available on the Web site, the SG appliance continues to contact the Web site daily for a 
new license until the current license expires. Outside the above license expiration 
window, the SG appliance performs this connection once every 30 days to check for new 
license authorizations. This feature is enabled by default. 

Procedure: To configure the license auto-update: 

1. Select Maintenance>Licensing>lnstall. 
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2. Select Use Auto-Update. 

3. Select Apply to commit the changes to the SG appliance. 



Note: If the automatic license update fails and you receive a Load from Blue Coat 
error, you must log on to your License Management account: 

https : / / services . bluecoat . com/ eservice_enu/licensing/mgr . cgi. 

Click Update License Key. 



Related CLI Syntax to Manage Licensing 

SGOS# licensing { disable- trial | enable- trial } 

SGOS# licensing update-key 

SGOS# (config) license-key path url 

SGOS# (config) license-key auto-update {enable | disable} 
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The SGOS software uses the Secure Shell (SSH) and HTTPS protocols to securely access 
the SGOS CLI and Management Console. Both SSHvl and SSHv2 are enabled by 
default, and host keys have already been created on the SG appliance. 

All data transmitted between the client and the SG appliance using SSH /HTTPS is 
encrypted. 

During initial configuration, you assigned the SG appliance a username and password 
and a privileged-mode (enabled /configuration) password. These passwords are 
always stored and displayed hashed. 

This chapter discusses: 

□ "Before You Begin: Understanding Modes" on page 19 

□ "Accessing the SG Appliance" on page 20 

□ "Accessing the Management Console Home Page" on page 21 

□ "Changing the Logon Parameters" on page 22 

□ "Viewing the Appliance Health" on page 25 



Important: 

This chapter assumes that you have completed the first-time setup of the SG appliance 
using either the front panel or serial console, and that the appliance is running on the 
network. These steps must be completed before accessing the appliance. 



You can manage the SG appliance by logging on to and using one of the following: 

□ An SSH session to access the CLI. 

□ The Management Console graphical interface. 

You can also use a serial console to access the CLI. 



Note: To use a Telnet session, you must use a serial console connection until you 
configure Telnet for use. (For security reasons Blue Coat does not recommend using 
Telnet). 



Before You Begin: Understanding Modes 

SGOS 5.x supports different levels of command security: 

□ Standard, or unprivileged, mode is read-only. You can see but not change system 
settings and configurations. This is the level you enter when you first access the CLI. 

□ Enabled, or privileged, mode is read-write. You can make immediate but not 
permanent changes to the SG appliance, such as restarting the system. This is the 
level you enter when you first access the Management Console. 

□ Configuration is a mode within the Enabled mode. From this level, you can perform 
permanent changes to the SG appliance configuration. 
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If you use the Management Console, you are in configuration mode when you log into 
Enabled mode and type conf t. 

If you use the CLI, you must enter each level separately: 

Username : admin 
Password : 

SGOS> enable 
Enable Password: 

SGOS# configure terminal 

Enter configuration commands, one per line. End with CTRL-Z. 

SGOS# (conf ig) 

For detailed information about the CLI and the CLI commands, refer to Volume 12: Blue 
Coat SG Appliance Command Line Reference. 



Note: Although most administrator tasks can be performed using either the 
Management Console or the CLI, there is the occasional task that can only be done using 
one of the two: these are specified in the manual. 



Accessing the SG Appliance 

You can access the SG appliance through either the CLI or the Management Console. By 
default, SSHv2 (CLI) and HTTPS (Management Console) are used to connect to the 
appliance. 

The SSH and HTTPS ports are configured and enabled. For SSH, you can use either 
version 1 or version 2 (with password or RSA client key authentication). 

Accessing the CLI 

If you use the CLI, you can use SSHv2 to access the SG appliance, but you cannot use 
SSHvl or Telnet without additional configuration. 



Note: Enabling the Telnet-Console introduces a security risk, so it is not recommended. 



To use SSHvl, you must first create an SSHvl host key. For more information on creating 
SSH host keys, refer to Volume 3: Proxies and Proxy Services. 

To log on to the CLI, you must have: 

□ the account name that has been established on the SG appliance 

□ the IP address of the SG appliance 

□ the port number (22 is the default port number) 

You must log on from your SSH client. 

Accessing the Management Console 

The Management Console is a graphical Web interface that allows you to manage, 
configure, monitor, and upgrade the SG appliance from any location. 

In the Web browser, enter HTTPS, the SG appliance IP address, and port 8 0 82 (the default 
management port). For example, if the IP address configured during first- time installation 
is 10 .25.36 .47, enter the URL https : //io .25.36.47: 8082 in the Web browser. 
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The Management Console consists of a set of Web pages stored on the SG appliance. The 
appliance acts as a Web server on the management port to serve these pages. From the SG 
home page on the appliance, you can access the configuration, maintenance, and statistics 
pages, and the documentation. The Management Console is supported with a complete 
online help facility to assist you in defining the various configuration options. 



Note: If, when you access the Management Console home page, you get a "host 
mismatch" or an "invalid certificate" message, you need to recreate the security certificate 
used by the HTTPS-Console. For information on changing the security certificate, refer to 
Volume 3: Proxies and Proxy Services : Chapter 2: "About Console Services" on page 13. 



Accessing the Management Console Home Page 

When you access the Management Console home page (see "Accessing the Management 
Console" on page 20), you are prompted to log on to the system. 

Logging On 

Each time you access the Management Console, you must log on. 




192 . 168 , 0,6 
User name: 
Password: 



admin 


V 







[^1 Remember my password 



OK Cancel 



□ The Site is the IP address of the SG appliance to which you are logging on. 

□ The Realm is a configurable name that can be anything you choose. The SG appliance 
IP address is the default. For more information on configuring the realm name, see 
"Changing the SG Appliance Realm Name" on page 24. 

□ The User Name is the name of the account you are using on this SG appliance. The 
name must already exist. It cannot be created here. 

□ The Password is the password for the account you are using. It cannot be changed here. 

You can change the username and password for the console or the CLI. See "Changing the 
Logon Parameters" on page 22. 



Note: All successful and failed logon attempts are logged to the event log. 



Logging Out 

Once you have logged on, you do not have to log on again unless you exit the current 
session or the session times out. The session timeout period, with a default of 900 seconds 
(15 minutes), is configurable. 
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Thirty seconds before the session times out, a warning dialog displays. Click the Keep 
Working button or the X in the upper-right-corner of the dialog box to keep the session 
alive. 



Note: The Keep Working button saves your changes. However, you must log back on to 
work in other pages. 




If you do not click Keep Working or the X in the upper-right-hand corner within the thirty- 
second period, you are logged out. You must log back on to access the Management 
Console. 

Click the hyperlink to log back on. 



Note: If you are on the Management Console home page when the session times out, you 
are logged out without seeing the logout warning dialog. You might not be aware that 
you are logged out until you try to access a Management Console page. You must enter 
the logon information again. 



Changing the Logon Parameters 

You can change the console username and password, the console realm name (which 
displays when you log on to the SG appliance), and the auto-logout timeout (in seconds; 
the default is 900 seconds.) 

The Management Console requires a valid administrator username and password to have 
full read-write access; you do not need to enter a privileged-mode password as you do 
when using the CLI. A privileged-mode password, however, must already be set. 



Note: To prevent unauthorized access to the SG appliance, only give the console 
username and password to those who administer the system. 



Changing the Username and Password 

You can change either the username or the password without changing both. 

Changing the Username 

The console account username was assigned during initial setup of the system. You can 
change the username at any time. 

To change the username: 

1. Select Configuration > Authentication > Console Access > Console Account. 
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Console Account | Console Access 
- Console account 



User name: admin 



Change Password I Change the console password 



Console realm name: 



| | Enforce auto-logout 



Auto-logout (seconds): 900 



Apply 



Cancel 



Help 



Note: Changing the Console Account username or password causes the 
Management Console to refresh and log back on using the new information. Note 
that each parameter must be changed and individually refreshed. You cannot change 
both parameters at the same time. 



2. Enter the username of the administrator or administrator group who is authorized to 
view and revise console properties. 

Only one console account exists on the SG appliance. If you change the console 
account username, that username overwrites the existing console account username. 

The console account username can be changed to anything that is not null and 
contains no more than 64 characters. 

3. Click Apply. 

After clicking Apply, an Unable to Update configuration error is displayed. The username 
change was successfully applied, but the configuration could not be fetched from the 
SG appliance, as the username offered in the fetch request is still the old username. 

4. Refresh the screen. You are then challenged for the new username. 

To change the password: 

The console password and privileged-mode password were defined during initial 
configuration of the system. The console password can be changed at any time. The 
privileged-mode, or enabled-mode, password can only be changed through the CLI or the 
serial console. 

1. Select Configuration > Authentication > Console Access > Console Account. 

2. Click Change Password. 
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3. Enter and re-enter the console password that is used to view and edit configuration 
information. The password must be from 1 to 64 characters long. As you enter the 
new password, it is obscured with asterisks. Click OK. 



Note: This does not change the enabled-mode password. You can only change the 
enabled-mode password through the CLI. 



4. Refresh the screen, which forces the SGOS software to re-evaluate current settings. 
When challenged, enter the new password. 

5. (Optional) Restrict access by creating an access control list or by creating a policy file 
containing < Admin > layer rules. For more information, see Volume 5: Securing the Blue 
Coat SG Appliance : Chapter 3: "Controlling Access to the Internet and Intranet". 

Related CLI Syntax to Change the Username and Password 



Note: Usernames and passwords can each be from 1 to 64 characters in length, but the 
passwords must be in quotes. 



SGOS# (conf ig) security {username username / password " password " \ 

front-panel-pin pin} 

Changing the SG Appliance Realm Name 

The realm name displays when you log on to the Management Console. The default realm 
name is the connection used to access the SG appliance, usually the IP address of the 
system. 

To change the realm name: 

1. Select Configuration > Authentication > Console Access > Console Account. 

2. Enter a new realm name. 

The new realm name displays the next time you log on to the Management Console. 

3. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Change the Realm Name 

SGOS# (conf ig) security management display-realm name 

The new realm name displays the next time you log on to the Management Console. 
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Changing the SG Appliance Timeout 

The timeout is the length of time a session persists before you are logged out. The default 
timeout is 900 seconds (15 minutes). 

To change the timeout: 

1. Select Configuration > Authentication > Console Access > Console Account. 

2. Either deselect Enforce auto-logout (which eliminates auto-logout entirely) or change 
the auto-logout timeout from its default of 900 seconds (15 minutes) to another value 
(in seconds). This is the allowable length of time on the SG appliance before the 
current session times out. Acceptable values are between 300 and 86400 seconds (5 
minutes to 24 hours). 

If you change the timeout value, the change takes effect on the next refresh of any 
Management Console page. 

3. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Change the Timeout 

SGOS# (conf ig) security management auto- logout- timeout seconds 

Viewing the Appliance Health 

The Management Console displays a visual representation of the overall health state of 
the SG appliance. The health states are based on the health monitoring metrics, which are 
described in the Monitoring chapter of Volume 10: Managing the Blue Coat SG Appliance. 

The health icon is located in the upper right corner of the Management Console. 



Configuration 



The following health states are possible: 

□ Ok (Green) 

□ Warning (Yellow) 

□ Critical (Red) 

These states are represented by a text string and a color that corresponds to the health of 
the system (green, yellow or red). The system health changes when one or more of the 
health metrics reaches a specified threshold or returns to normal. 

The Management Console polls the SG appliance every 10 seconds and updates the health 
state indicator accordingly. 

For More Information 

To obtain more information about the health state, click the health icon. Clicking the 
health icon displays the Statistics > Health page, which lists the current condition of the 
system's health monitoring metrics. 

Refer to Volume 10: Managing the Blue Coat SG Appliance for more information about the 
health monitoring metrics. 
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The SG appliance global configurations include: defining the SG appliance name and 
serial number, setting the time, and configuring NTP for your environment. 

The following topics are discussed in this section: 

□ "Configuring the SG Appliance Name" on page 27 

□ "Viewing the Appliance Serial Number" on page 27 

□ "Configuring the System Time" on page 28 

□ "Network Time Protocol" on page 29 

□ "Configuring HTTP Timeout" on page 30 



Configuring the SG Appliance Name 

You can assign any name to a SG appliance. A descriptive name helps identify the 
system. 

To set the SG appliance name: 

1. Select Configuration > General > Identification. 



2. 

3. 

Related CLI Syntax for Setting the SG Appliance Name 

SGOS# (conf ig) hostname name 

Viewing the Appliance Serial Number 

The SG appliance serial number assists Blue Coat Systems Customer Support when 
analyzing configuration information, including heartbeat reports. This number is 
found on the SG appliance. The serial number is visible on the Management Console 
home page. 



Identification 

Unique name for this ProxySG Appliance: 



Name: 1 0.9.59.243 ■ Blue Coat SG1 1 0 



Serial number of the ProxySG Appliance: 
Serial number: 



In the Unique name for this ProxySG Appliance field, enter a name. 
Select Apply to commit the changes to the SG appliance. 
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Configuring the System Time 

To manage objects, the SG appliance must know the current Coordinated Universal Time 
(UTC), which is the international time standard and is based on a 24-hour clock. However, 
time stamps can also record in local time. To do this, local time must also be set based on 
time zones. 

By default, the SG appliance attempts to connect to an NTP server, in the order the servers 
appear in the NTP server list on the NTP tab, to acquire the UTC time. The appliance ships 
with a list of NTP servers available on the Internet. If the appliance cannot access any of 
the listed NTP servers, you must manually set the UTC time. 

Additionally, the SG appliance ships with a limited list of time zones. If a particular time 
zone is missing from the included list, the list can be updated at your discretion. Also, the 
time zone database might need to be updated if the Daylight Savings rules change in your 
area. The list can be updated by downloading the full time zone database from http:// 
download.bluecoat.com/ release/ timezones.tar. 

To set local time: 

1. Select Configuration > General > Clock > Clock. 



Clock | NTP 

Current time: 

UTC: 

Local: 

Timezone: 



America/Los_Angeles 



r Update time zone database 



Installation URL: http:// 



T Method for acquiring UTC: — 

0 Enable NTP 
Query interval (minutes) 



Sync 



Set Time zone 



Acquire UTC time 



2. Click Select Time zone. A popup appears, displaying a list of time zones based on 
geopolitical regions. 




r Select Time zone 



^JTime zones 


W 


i±r- r 1 Pacific 




B~'!g| America 




Anchorage 


Alaska Time 




Denver 


Mountain Time 


• Phoenix 


Mountain Standard Time - Arizona 


Regina 


Central Standard Time - Saskatchewar 


• Chicago 


Central Time 


• Hexico_City 


Central Time - most locations 


New_York 


Eastern Time 


f Bogota 




;±j Indiana 




| Halifax 


Atlantic Time - Nova Scotia (most pJ v 


< 


J L >j — 



| OK | [ Cancel J 
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3. Select the time zone that represents your local time. Once the local time zone is 
selected, event logs record the local time instead of GMT. To add additional time 
zones to the list, update the appliance's time zone database, as described in the 
following procedure. 

To update the database: 

1. Select Configuration > General > Clock > Clock. 

2. Enter the URL from which the database will be downloaded or click Set to default. 

3. Click Install. 

Related CLI Syntax for Adding New Time Zones to the Database: 

SGOS# (config) timezone database-path [ url / default] 

SGOS# (config) load timezone-database 

To acquire the UTC: 

1. Ensure that Enable NTP is selected. 

2. Click Acquire UTC Time. 

Related CLI Syntax for Acquiring and Setting UTC Time: 

SGOS# acquire-utc 

SGOS# (config) clock [subcommands] 

Network Time Protocol 

The Network Time Protocol (NTP) is used to synchronize the time of a computer client or 
server to another server or reference time source, such as a radio or satellite receiver or 
modem. There are more than 230 primary time servers, synchronized by radio, satellite 
and modem. 

The SG appliance ships with a list of NTP servers available on the Internet, and attempts 
to connect to them in the order they appear in the NTP server list on the NTP tab. You can 
add others, delete NTP servers, and reorder the NTP server list to give a specific NTP 
server priority over others. 

The SG appliance uses NTP and the Coordinated Universal Time (UTC) to keep the 
system time accurate. 

You can add and reorder the list of NTP servers the SG appliance uses for acquiring the 
time. The reorder feature is not available. 

To add an NTP server: 

1. Select Configuration > General > Clock > NTP. 
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2. Click New to add a new server to the list. 

3. Enter either the domain name or IP address of the NTP server and click OK. 

4. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax for Acquiring and Setting UTC Time: 

SGOS# (conf ig) ntp [subcommands] 

To change the access order: 

NTP servers are accessed in the order displayed. You can organize the list of servers so the 
preferred server appears at the top of the list. This feature is not available through the CLI. 

1. Select Configuration > General > Clock > NTP. 

2. Select an NTP server to promote or demote. 

3. Click Promote entry or Demote entry as appropriate. 

4. Select Apply to commit the changes to the SG appliance. 

Configuring HTTP Timeout 

You can configure various network receive timeout settings for HTTP transactions. You 
can also configure the maximum time that the HTTP proxy waits before reusing a client- 
side or server-side persistent connection. You must use the CLI to configure these settings. 
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To configure the HTTP receive timeout setting: 

At the (config) command prompt, enter the following command: 

SGOS# (conf ig) http receive- timeout {client | refresh | server} 

#_seconds 

where: 



client 


# seconds 


Sets the receive timeout for client to # seconds. 
The default is 120 seconds. 


refresh 


# seconds 


Sets receive timeout for refresh to # seconds. The 
default is 90 seconds. 


server 


# seconds 


Sets receive timeout for server to # seconds. The 
default is 180 seconds. 



To configure the HTTP persistent timeout setting: 

At the (config) command prompt, enter the following command: 

SGOS# (conf ig) http persistent- timeout {client | server} #_seconds 

where 



client 


# seconds 


The maximum amount of time the HTTP proxy 
waits before closing the persistent client 
connection if another request is not made. The 
default is 360 seconds. 


server 


# seconds 


The maximum amount of time the HTTP proxy 
waits before closing the persistent server 
connection if that connection is not re-used for 
any subsequent request from the proxy. The 
default is 900 seconds. 
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Blue Coat allows you to use an existing configuration (modified to include only general 
parameters, not system-specific settings) to quickly set up a newly-manufactured SG 
appliance and to save the running configuration off-box for archival purposes. 

This section discusses: 

□ "Sharing Configurations" on page 33 

□ "Archiving a Configuration" on page 36 

Sharing Configurations 

You can share configurations between two SG appliances. You can take a post-setup 
configuration file (one that does not include those configuration elements that are 
established in the setup console) from an already-configured SG appliance and push it 
to a newly-manufactured system. 



Note: Blue Coat Director allows you to push a configuration from one SG 
appliance to multiple appliances at the same time. For more information on using 
Director, see Volume 10: Managing the Blue Coat SG Appliance. 



The new configuration is applied to the existing configuration, changing any existing 
values. This means, for instance, that if the new configuration creates a realm called 
RealmA and the existing configuration has a realm called RealmB, the combined 
configuration includes two realms, RealmA and RealmB. 

To share configurations, you must 

□ Change all "encrypted-password" entries to "password" followed by the actual 
password in quotes. 

□ Change any "hashed-password" entries to "password" followed by the actual 
password in quotes. 

□ Make sure that no services are tied to a specific proxy IP address. 

□ Download a content filter database, if the configuration includes content filtering. 

You can use either the Management Console or the CLI to create a post-setup 
configuration file on one SG appliance and push it to another. 



Note: You cannot push configuration settings to a newly manufactured system 
until you have completed initial setup of the system. 



To create and push a configuration to a newly manufactured SG appliance: 

From the already configured SG appliance: 

1. Select Configuration > General > Archive. 
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Archive Configuration 

- View Current Configuration 
View File: 



Configuration - post setup 



View 



r Install Configuration 

Install Configuration from: 



Local File v 



Install 



2. In the View Current Configuration panel, select the configuration from the drop-down list 
that you want to use for the newly-manufactured machine: 



• Configuration - post setup: This displays the configuration on the current system, 
minus any configurations created through the setup console, such as the 
hostname and IP address. It also includes the installable lists. 



• Configuration - brief: This displays the configuration on the current system, but does 
not include the installable lists. 



• Configuration - expanded: This is the most complete snapshot of the system 
configuration, but it contains system-specific settings that should not be pushed 
to a new system. 

• Results of Configuration Load: This displays the results of the last configuration 
pushed to the system. 

3. View the configuration you selected by clicking View. You can also view the file by 
selecting Text Editor in the Install Configuration panel and clicking Install. 

4. Save the configuration. You can save the file two ways: 

• Save it as a text file on your local system. This is advised if you want to re-use the 
file. 



• Copy the contents of the configuration. (You will paste the file into the Text Editor 
on the newly-manufactured system.) 



To install the configuration on a newly manufactured SG appliance: 

1. Launch the Management Console in a new browser window. 

2. Select Configuration > General > Archive. 

3. The Archive Configuration tab displays. 

4. In the Install Configuration panel, install the configuration using one of the following 
methods: 

• If you saved the file to your system, browse to the location of the Local File, 
highlight the file, and click Install. The configuration is installed, and the results 
screen displays. 

• If you copied the contents of the file, paste it into the Text Editor and click Install. 
The configuration is installed, and the results screen displays. 



Note: A message is written to the event log when you install a configuration 
through the SG appliance. 
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5. Click Close. 

To create and push a configuration to a newly manufactured SG appliance: 

From the already configured SG appliance: 

1. From the enable prompt (#), determine which configuration you want to use for the 
new system. The syntax is: 

show configuration post -setup | brief | expanded 



where: 



post-setup 


This displays the configuration on the current system, minus 
any configurations created through the setup console, such as 
the hostname and IP address. It also includes the installable 
lists. 


brief 


This displays the configuration on the current system, but does 
not include the installable lists. 


expanded 


This is the most complete snapshot of the system configuration, 
but it contains system-specific settings that should not be 
pushed to a new system. 



2. Save the configuration. You can save the file two ways: 

• Copy the contents of the configuration to the clipboard. (Paste the file into the 
terminal on the newly-manufactured system.) 

• Save it as a text file on a download FTP server accessible to the SG appliance. This 
is advised if you want to re-use the file. 

3. On the newly-manufactured SG appliance, retrieve the configuration file by doing 
one of the following: 

• If you saved the configuration to the clipboard, go to the (conf ig) prompt and 
paste the configuration into the terminal. 

• If you saved the configuration on the FTP server: 

At the enable command prompt, enter the following command: 

SGOS# configure network "url" 

where url must be in quotes and is fully-qualified (including the protocol, server 
name or IP address, path, and filename of the configuration file). The 
configuration file is downloaded from the server, and the SG appliance settings 
are updated. 



Note: If you rename the archived configuration file so that it does not contain 
any spaces, the quotes surrounding the URL are unnecessary. 



The username and password used to connect to the FTP server can be embedded 
into the URL. The format of the URL is: 
f tp : / /username : pas sword@ftp- server 

where ftp- server is either the IP address or the DNS resolvable hostname of the 
FTP server. 
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If you do not specify a username and password, the SG appliance assumes that an 
anonymous FTP is desired and thus sends the following as the credentials to 
connect to the FTP server: 

username : anonymous 
password: proxy@ 

Archiving a Configuration 

In the rare case of a complete system failure, restoring a SG appliance to its previous state 
is simplified by loading an archived system configuration from an FTP or TFTP server. 
The archive, taken from the running configuration, contains all system settings differing 
from system defaults, along with any installable lists configured on the SG appliance. 

Archive and restore operations must be done through the CLI. 



Note: You can archive a system configuration to an FTP or TFTP server that allows 
either anonymous logon or requires a specific username and password. Likewise, to 
restore a system configuration, the server storing the archive can be configured either to 
allow anonymous logon or to require a username and password. 



To prepare to archive a system configuration 

1. Obtain write permission to a directory on an FTP server. This is where the archive will 
be stored. 

The system configuration must be stored using FTP. 

2. At the (config) command prompt, enter the following commands: 

SGOS# (conf ig) archive-configuration protocol {ftp | tftp} 

SGOS# (config) archive-configuration host hostname 

where hostname is the IP address of the server. 



Note: TFTP does not require a password, path, or username. 



SGOS# (conf ig) archive-configuration password password 
-or- 

SGOS# (conf ig) archive-configuration encrypted-password encrypted- 
password 

where password is the password (or encrypted password) used to access the server. 

SGOS# (conf ig) archive-configuration path path 

where pa th is the directory on the server where the archive is to be stored, relative to 
the preset FTP directory. 

SGOS# (conf ig) archive-configuration filename-prefix filename 

where filename can contain % strings that represent the information in the upload 
filename. If you do not use the filename command, the SG appliance creates a name 
with a timestamp and the filename SG_last-ip-octet_timestamp . For % string 
substitutions, see Volume 9: Access Logging. 

SGOS# (conf ig) archive-configuration username username 
where user name is the username used to access the server. 
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Example Session 

SGOS# (conf ig) 
ok 

SGOS# (conf ig) 
ok 

SGOS# (conf ig) 
ok 

SGOS# (conf ig) 
ok 

SGOS# (conf ig) 
ok 



archive -configuration 
archive -configuration 
archive -configuration 
archive -configuration 
archive -configuration 



host 10.25.36.47 
password access 
username adminl 

path ftp : //archive . server/stored 
protocol ftp 



Note: To clear the host, password, or path, type the above commands using empty 
double-quotes instead of the variable. For example, to clear the path, enter archive - 
configuration path "" . 



To archive a system configuration: 

At the enable command prompt, enter the following command: 

SGOS# upload configuration 

To restore a system configuration: 

At the enable command prompt, enter the following command: 

SGOS# configure network "url" 

See "Sharing Configurations" on page 33 for more information about formatting the URL 
for FTP. 

Troubleshooting 

When pushing a shared configuration or restoring an archived configuration, keep in 
mind the following issues: 

□ Encrypted passwords (login, enable, and FTP) cannot be decrypted by a device other 
than that on which it was encrypted. If you were sharing a configuration, these 
encrypted passwords were probably already created before the configuration was 
pushed to the system. 

□ If the content filtering database has not yet been downloaded, any policy that 
references categories is not recognized. 

□ The following passwords must be re-created (if you use the application specified): 

• administrator console passwords (not needed for shared configurations) 

• privileged-mode (enable) passwords (not needed for shared configurations) 

• the front-panel PIN (recommended for limiting physical access to the system) 

• access log FTP client passwords (primary, alternate) 

• archive configuration FTP password 

• RADIUS primary and alternate secret 

• LDAP search password 

• SmartFilter download password 

• WebSense3 download password 
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• SNMP read, write, and trap community strings 

• RADIUS and TACACS+ secrets for splash pages 

□ A full download of the content filtering database must be done. 

□ SSH certificate keys must be imported. 

□ SSL certificate keys must be imported 

In addition, you should make sure the system is functioning whenever you add a feature. 
For example, make sure the system works after basic configuration; then, after you add 
authentication, recheck the system. 
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This chapter describes SG network adapters and the adapter interfaces; the following 
topics are discussed: 

□ " About Adapters" on page 39 

□ "About Virtual LAN Configuration" on page 39 

□ "Configuring an Adapter" on page 42 

□ "Configuring Interface Settings" on page 45 

□ "Detecting Network Adapter Faults" on page 47 

About Adapters 

SG appliances ship with one or more network adapters installed on the system, each 
with one or more interfaces. This chapter describes how to change interface parameters 
or configure additional adapters or virtual LANs in the appliance. You can also accept 
or reject inbound connections, change link settings in the event the system did not 
correctly determine them, and configure the browser for proxy settings. 

As you select adapters from the picklist, the Adapter panel (Configuration > Network > 
Adapters) displays the state of the configured adapter and its interfaces. 



Note: In Blue Coat documentation, the convention for the interface is 
adapter, interface. For example, 0 : 0. 



About Virtual LAN Configuration 

This section discusses Virtual LAN (VLAN) deployments. 

About VLAN Deployments 

VLANs are created to group multiple physical network segments into individual 
broadcast domains. The benefit to this is that clients can be organized logically — for 
example, based on organization — rather than limited to physical connections to 
interfaces. Because networks recognize VLANs as they do physical LANs, each VLAN 
can have an IP prefix assigned to it. This enables IP routing of traffic flow between 
VLANs, which allows for targeted traffic relaying rather than broadcasting to all 
connected hosts. 

VLAN configuration occurs on the switch. The network administrator specifies which 
ports belong to which VLANs. The following diagram illustrates a port-based VLAN 
configuration. Clients on network segments attached to switch ports 1 and 2 belong to 
VLAN 1, which has the network address 10 . o . l . x; network segments attached to 
switch ports 14 and 15 belong to VLAN 2, which has the network address 10 . o . 2 . x. 
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Figure 6-1 . Multiple VLANs connected to ports on one switch 

As also illustrated in the diagram, clients of different OS types can reside within a VLAN. 
However, not all clients are able to detect (send or receive) VLAN-tagged packets. 



About VLAN Trunking 

On the packet level, VLAN identification is achieved by the switch tagging , or inserting, 
the VLAN ID (VID) into the packet header. This allows the next switch inline to know the 
location of the destination VLAN. When VLANS span multiple switches, a trunk data link 
between switches that carries traffic associated with multiple VLANs is required. The 
trunk link is attached to a switch port designated for inter-switch communication. 

In the following diagram, multiple VLANs are connected by trunk data link between two 
switches. 




Figure 6-2. Two switches connected by a trunk 



About Native VLANs 

Each switch port has a designated native VLAN. On any given switch, each port might 
have a different Native VLAN configured on it. While native VLAN connections 
themselves are not tagged, they can carry both tagged and untagged VLAN traffic. 
Connections destined to the native VLAN have their packets sent out untagged, and 
connections destined to non-native VLANs have their packets sent out tagged. The 
default VID on most switches is 1. 

The trunk link carries both the native VLAN (untagged) and all other VLAN (tagged) 
packets, as illustrated in the following diagram. 
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Switch 1 



Cannot send/ 
receive tags 



VLAN 1 

Clients: 1 , 2 , and 3 
Switch ports: 1, 2, and 3 
Subnet: 10.0.1 .x 



Trunk link carrying: 
(Native) VLAN 1 
VLAN 2 



VLAN 2 

Clients: 4 and 5 
Switch ports: 7 and S 
Subnet: 10.0 2 x 



( LAN ) 

Listening on: 

10.0. 1.1 on VLAN 1 

10.0. 2.1 on VLAN 2 



Figure 6-3. A switch broadcasting native and regular VLAN traffic over a trunk 



In this example, the client attached to port 7 belongs to VLAN 2. Even though it is part of 
VLAN2, it does not set tags or receive VLAN-tagged packets. The switch knows the 
packet belongs to VLAN 2 and tags it accordingly. Conversely, it strips the VLAN 2 tag on 
the response. The trunk link broadcasts VLAN 1 (the native) and 2 traffic to a router that 
accepts the subnets of those VLANs. 

Deployment complications arise when a device (other than a router) is required between 
switches. Without VLAN tagging support, any network device deployed in between 
switches either drops all VLAN-tagged traffic or passes it through by a bridging 
configuration. 

This creates a problem if, for example, users located on different floors all belong to 
VLAN 1, but are separated by proxy that does not recognize VLAN-tagged packets. 



Note: In Blue Coat documentation, the convention for VLAN is 

adapter, interface . vlan_id. Lor example, 0 : 0 . l is the native VLAN on adapter o, 

interface o. 



The Blue Coat Solution 

SGOS 5.1.4 and later supports VLAN tagging; therefore, a SG appliance can be deployed 
inline with switches that are routing VLAN traffic. This allows for uninterrupted VLAN 
service, plus enables benefits gained with the proxy features. 

The Management Console enables you to configure VLAN interfaces the same way you 
configure physical interfaces. After a VLAN is added, it appears in the list of network 
interfaces. Properties such as allow-intercept and re j ect- inbound are applicable to 
VLAN interfaces. 

The most common deployment is a SG appliance residing between two switches or a 
switch and a router that is forwarding or bridging traffic; in these cases, preserving tagged 
packets is essential to your network. 
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As the SG appliance strips outgoing native VLAN tags, trunking on both interfaces is 
required to both recognize and preserve the tagged packets. 



Interface: 0:0 Interface; CM 

Trunking: enabled Trunking: enabled 



Figure 6-5. Trunking enabled on two SG appliance physical interfaces 

Based on this deployment: 

□ The SG appliance accepts all packets, regardless of their tag, and, if configuration and 
policy allows, passes them from one interface to the other with the original VLAN 
tagged preserved. 

□ If a packet arrives on one interface on VLAN 2, it remains on VLAN 2 when it is 
forwarded out another interface. If a packet arrives untagged and the destination 
interface has a different native VLAN configured, the SG appliance adds a tag to 
ensure the VLAN is preserved. Similarly, if a tagged packet arrives and the VLAN ID 
matches the native VLAN of the destination interface, the SG appliance removes the 
tag before forwarding the packet. 




Note: Bridge groups cannot be based on VLANs. 



Configuring an Adapter 

The following procedure describes how to configure an adapter. Repeat the process if the 
system has additional adapters. 



42 



Chapter 6: Adapters 



To configure a network adapter: 

1. Select Configuration > Network > Adapters > Adapters. 



Note: Different SG appliance models have different adapter configurations, 
and the appearance of the Adapters tab varies accordingly. 




Notice that in the Interfaces field, a message displays stating whether the interface 
belongs to a bridge. For more information about network bridging, see Chapter 7: 
"Software and Hardware Bridges" on page 49. 

3. (Optional) If you have a multiple-interface adapter, select an interface from the drop- 
down list. 

4. Enter the IP address and subnet mask for the interface into the IP address for interface 
x and Subnet mask for interface x fields (where interface x refers to the interface 
selected in the Interfaces drop-down list.) 

5. (Optional) To configure link settings, restrict inbound connections, or set up browser 
proxy behavior for the adapter, select the interface and click Settings. Enter any 
changes and click OK to close the Settings dialog. 

See "Configuring Interface Settings" on page 45 for more information about 
configuring adapter settings. 



Note: The default is to permit all inbound connections. You should always 
manually configure link settings to avoid problems. The browser default is to use the 
proxy's default PAC file. (See "Configuring Interface Settings" on page 45 below for 
more information on link settings and inbound connections. 
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6. If applicable, configure Virtual LAN (VLAN) options (see " About Virtual LAN 

Configuration" on page 39): 

a. By default, the native VID for any SG appliance interface is 1, as most 
switches by default are configured to have their native VIDs as 1 . Only 
change this value if the native VID of the switch connected to this interface is 
a value other than 1 ; match that value here. 

b. If this SG appliance is inline to forward or bridge traffic, select enable 
trunking to make the link to this interface a data link from the router that 
recognizes VLAN-tagged packets from multiple- VLAN sources. 

c. To add more VLANs (not the native VLAN) to the interface, click Configure > 
VLANs. 




d. Click Add to display the VLAN dialog. 

e. Specify the VLAN ID (VID) number of the VLAN accepted on this interface. 

f. Specify the VLAN IP address and subnet mask. 

g. The receiving packet and browser behavior is the same as for physical 
interfaces. See "Configuring Interface Settings" on page 45". 

h. Click OK in both dialogs. 

7. Click Apply. 
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Related CLI Syntax to Configure an Adapter/Native VLAN 

□ To enter configuration mode: 

SGOS# (conf ig) interface f ast-ethernet adapter : interface 
SGOS# (conf ig) interface adapter : interface 

□ The following VLAN subcommands are available: 

SGOS# (conf ig interface adapter : interface) native-vlan # 

SGOS# (conf ig interface adapter : interface . vlan_id) vlan- trunk {enable | 
disable} 

Configuring Interface Settings 

The Settings button in the Interfaces field allows you to restrict inbound connections on 
the selected adapter, and to select manual or automatic configuration of the adapter link 
settings. 

The default for Inbound connections is to permit all incoming connections. Although link 
settings can be automatically configured. Blue Coat recommends manually setting them. 



Note: Rejecting inbound connections improperly or manually configuring link settings 
improperly might cause the SG appliance to malfunction. Ensure that you know the 
correct settings before attempting either of these. If the SG fails to operate properly after 
changing these settings, contact Blue Coat Support. 



Disabling Transparent Interception 

This feature enables the administrator to specify the interfaces that will intercept traffic. 
By default, the SG appliance intercepts connections in both directions. Using this feature, 
the administrator can configure it to intercept the connection in only one direction. 



Note: To use this feature, reject - inbound must be disabled. 



To bypass transparent interception: 

1. Select Configuration > Network > Adapters > Adapters. 

2. Select an adapter from the Adapter drop-down list. 

3. Click Settings. 





- When receiving packets on this interface: 

O Allow transparent interception 
( (*) Bybass transparent interception 

^Tirewall incoming traffic 







4. Select Bypass Transparent Interception. 

5. Click OK to close the Settings dialog. 

6. Click Apply. 
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Related CLI Syntax to Disable Transparent Interception 

□ To enter configuration mode for standard interfaces: 

SGOS#(config interface adapter : interface) allow- intercept {enable | 
disable} 

□ To enter configuration mode for VLAN interfaces: 

SGOS#(config interface adapter : interface . vlan_id) allow-intercept 
{enable | disable} 

Rejecting Inbound Connections 

This feature enables the administrator to reject all inbound traffic. If enabled, all inbound 
traffic is silently dropped — except for console access traffic. The default setting is 
disabled; the SG appliance allows inbound connections on all network adapters. 

To reject inbound connections: 

1. Select Configuration > Network > Adapters > Adapters. 

2. Select an adapter from the Adapter drop-down list. 

3. Click Settings. 





- When receiving packets on this interface: 

0 Allow transparent interception 
^-QU^pass transparent interception 
( (*) Firgwall incoming traffic 







4. Select Firewall Incoming Traffic. 

5. Click OK to close the Settings dialog. 

6. Click Apply. 

Related CLI Syntax for Rejecting Inbound Connections 

□ To enter configuration mode for standard interfaces: 

SGOS#(config interface adapter : interface) re j ect- inbound {enable | 
disable} 

□ To enter configuration mode for VLAN interfaces: 

SGOS#(config interface adapter : interface . vlan_id) re j ect- inbound 
{enable | disable} 

Using reject-inbound and allow-intercept 

The allow-intercept and re j ect- inbound commands are interface-level 
configurations and are not bridge-specific. The reject- inbound command always has 
precedence. 

The following table describes how traffic is handled for the three possible settings of these 
options. 
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Table 6-1 . Command Interaction for Reject-Inbound and Allow-lntercept 



reject- 

inbound 


allow- 

intercept 


Non-proxy ports 
(mgmt-console, 
ssh, etc) 


Explicit proxy 
ports 


Transparent 
proxy ports 


Other ports 


Disabled 


Enabled 


Terminated 


Terminated 


Terminated 


Forwarded 


Disabled 


Disabled 


Terminated 


Terminated 


Forwarded 


Forwarded 


Enabled 


Enabled/ 

Disabled 


Silently dropped 


Silently dropped 


Silently dropped 


Silently dropped 



Manually Configuring Link Settings 

By default, the SGOS software automatically determines the link settings for all network 
adapters. However, Blue Coat strongly recommends manually setting the link settings to 
avoid problems. 

To manually configure link settings: 

1. Select Configuration > Network > Adapters > Adapters. 

2. Select an adapter from the Adapters drop-down list. 

3. Click Settings. 

4. Select Manually configure link settings. 

5. Select Half or Full duplex. 

6. Select the correct network speed. 

7. Click OK to close the Advanced Settings dialog. 

8. Click Apply. 

Related CLI Syntax to Manually Configure Link Settings 

□ To enter configuration mode for standard interfaces: 

SGOS#(config interface adapter : interface) {full-duplex | half -duplex} 

Configuring Proxies 

To configure proxies, refer to Volume 3: Proxies and Proxy Services. 

Detecting Network Adapter Faults 

The SG appliance can detect whether the network adapters in an appliance are 
functioning properly. If the appliance finds that an adapter is faulty, it stops using it. 
When the fault is remedied, the SG appliance detects the functioning adapter and uses it 
normally. 

To determine whether an adapter is functioning properly: 

1. Check whether the link is active (that is, a cable is connected and both sides are up). 

2. Check the ratio of error packets to good packets: both sent and received. 

3. Check if packets have been sent without any packets received. 
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If an adapter fault is detected and the adapter has an IP address assigned to it, the SG 
appliance logs a severe event. When an adapter does not have an IP address, the appliance 
does not log an entry. 
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This chapter describes the SGOS hardware and software bridging capabilities. Network 
bridging through the SG appliance provides transparent proxy pass-through and 
failover support. 

The following topics are discussed: 

□ " About Bridging" 

□ "About the Pass-Through Adapter" on page 51 

□ "Configuring a Software Bridge" on page 51 

□ "Customizing the Interface Settings" on page 53 

□ "Setting Bandwidth Management for Bridging" on page 54 

□ "Configuring Failover" on page 54 

About Bridging 

Bridging functionality allows SG appliances to be easily deployed as transparent 
redirection devices, without requiring the additional expense and maintenance of L4 
switches or WCCP-capable routers. Bridging is especially useful in smaller 
deployments in which explicit proxies, L4 switches, or WCCP-capable routers are not 
feasible options. 



Important: Bridge interfaces cannot be used in WCCP configurations. If the 
configuration includes bridge interfaces, you will receive the following error if you 
attempt to load the WCCP configuration file: 

Interface 0:0 is member of a bridge 



Bridges are used to segment Ethernet collision domains, thus reducing frame collisions. 
Unlike a hub, a bridge uses a frame's destination MAC address to make delivery 
decisions. Because these decisions are based on MAC addressing, bridges are known as 
Layer 2 devices. 

To make efficient delivery decisions, the bridge must discover the identity of systems 
on each collision domain, and then store this information in its bridging table. After 
learning the identity of the systems on each collision domain, the bridge uses the source 
MAC address of frames to determine from which interface a given system can be 
reached. 

A branch office that would take advantage of a bridging configuration is likely to be 
small; for example, it might have only one router and one firewall in the network, as 
shown below. 
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LAN 




Figure 7-1. A Bridged Configuration 

To ensure redundancy, the SG appliance supports both serial and parallel failover modes. 
See " Configuring Failover" for more information about serial and parallel failover 
configurations. 

Traffic Handling 

Because the bridge intercepts all traffic, you can take advantage of the powerful proxy 
services and policies built into the SG appliance to control how that traffic is handled. If 
the SG appliance recognizes the intercepted traffic, you can apply policy to it. 
Unrecognized traffic is forwarded out. This traffic handling flow is shown in the following 
figure. 




Figure 7-2. Traffic Flow Decision Tree 

Because policy can be applied only to recognized protocols, it is important to specify port 
ranges that will capture all traffic, even that operating on lesser-known ports. 



Bridging Methods 

The SG appliance provides bridging functionality by two methods: 

□ Software — A software, or dynamic, bridge is constructed using a set of installed 
interfaces. Within each logical bridge, interfaces can be assigned or removed. 

See "Configuring a Software Bridge" on page 51 for more information. 
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□ Hardware — A hardware, or pass-through , bridge uses a 10/100 dual interface Ethernet 
adapter. This type of bridge provides pass-through support. 

See " About the Pass-Through Adapter" for more information. 



Note: If you want to use an L4 switch, WCCP, or an explicit proxy instead of 
bridging, you must disable the bridging pass-thru card. 



About the Pass-Through Adapter 

A pass-through adapter is a 10/100 dual interface Ethernet adapter designed by Blue Coat 
to provide an efficient fault-tolerant bridging solution. If this adapter is installed on an SG 
appliance, SGOS detects the adapter upon system bootup and automatically creates a 
bridge — the two Ethernet interfaces serve as the bridge ports. If the SG appliance is 
powered down or loses power for any reason, the bridge fails open; that is, Web traffic 
passes from one Ethernet interface to the other. Therefore, Web traffic is uninterrupted, 
but does not route through the appliance. 



Important: This scenario creates a security vulnerability. 



Once power is restored to the SG appliance, the bridge comes back online and Web traffic 
is routed to the appliance and thus is subject to that appliance's configured features, 
policies, content scanning, and redirection instructions. Note that bridging supports only 
failover; it does not support load balancing. 

The following figure provides an example of how the SG appliance indicates that an 
installed adapter is a pass-through adapter. 





Adapter 0 


□ 






■ 





Figure 7-3. Pass-through Adapter 



Note: The adapter state is displayed on Configuration>Network>Adapters. 



Configuring a Software Bridge 

This section describes how to use the Management Console or the CLI to link adapters 
and interfaces to create a network bridge. 

Before configuring a software bridge, ensure that your adapters are of the same type. 
Although the software does not restrict you from configuring bridges with adapters of 
different speeds (10/100 or GIGE, for example), the resulting behavior is unpredictable. 

To create and configure a software bridge: 

1. Select Configuration > Network > Adapters > Bridges. 

2. Click New. 
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3. In the New Bridge Name field, enter a name for the bridge — up to 16 characters. 

4. (Optional) If you want to assign the bridge to a failover group select it from the 
Failover Group drop-down list. 

See "Configuring Failover" on page 54 for more information about configuring 
failover. 



Create Bridge Interface 




5b 



5. Assign an interface to the bridge. 
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a. In the Create Bridge window, click New. The Create Bridge Interface dialog 
displays. 

b. In the Interface drop-down menu, select an interface. 




c. (Optional) If you want to enable bridging loop avoidance, click Enable 
Spanning Tree. 

See "Bridging Loop Detection" on page 56 for more information about the 
Spanning Tree Protocol. 

d. Click OK. 

e. Repeat Steps a to d for each interface you want to attach to the bridge. 

6. Click OK to close the Create Bridge Interface and Create Bridge dialogs. 

7. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Configure a Software Bridge 

SGOS# (conf ig) bridge 

SGOS#(config bridge) edit bridge_name 

Customizing the Interface Settings 

To further customize the bridge, edit the interface settings. 

Editing the interface settings allows you to 

□ Allow transparent interception (allow- intercept). 

□ Reject inbound connections (reject - inbound). 

□ Configure link settings. 

See "Configuring Interface Settings" on page 45 for more information. 

The Bridge Settings options allow you to clear bridge forwarding table and clear bridge 
statistics. 
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Setting Bandwidth Management for Bridging 

After you have created and configured a bandwidth management class for bridging, you 
can manage the bandwidth used by all bridges. Refer to Volume 6: Advanced Networking for 
more information on bandwidth management. 

To configure bandwidth management for bridging: 

1. Select Configuration > Network > Adapters > Bridges. 




2. In the Bridging Bandwidth Class drop-down menu, select a bandwidth management 
class to manage the bandwidth for bridging, or select <none> to disable bandwidth 
management for bridging. 

3. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Set a Bridging Bandwidth Class 

SGOS#(config bridge) bandwidth- class bridge_name 
SGOS# (conf ig) bandwidth-management 

SGOS#(config bandwidth-management) [ subcommands ] 

Configuring Failover 

You can configure failover for software bridges, but not for hardware bridges. 

In failover mode, two appliances are deployed, a master and a slave. The master sends 
keepalive messages (advertisements) to the slaves. If the slaves do not receive 
advertisements at the specified interval, the slave takes over for the master. When the 
master comes back online, the master takes over from the slave again. 

The SGOS bridging feature supports two different types of failover modes, parallel and 
serial. 



54 





Chapter 7: Software and Hardware Bridges 



Parallel Failover 

In parallel failover mode, two systems are deployed side by side on redundant paths. In 
parallel failover, the slave does not actively bridge any packets unless the master fails. If 
the master fails, the slave takes over the master IP address and begins bridging. A parallel 
failover configuration is shown in the following figure. 




Slave 



Because of the redundant paths, you must enable Spanning Tree to avoid bridge loops. 
See "Bridging Loop Detection" on page 56 for more information about STP. 

Serial Failover 

In serial failover mode, the slave is inline and continuously bridges packets, but does not 
perform any other operations to the bridged traffic unless the master fails. If the master 
fails, the slave takes over the master IP address and applies policy, etc. A serial 
configuration is shown in the following figure. 




Setting Up Failover 

Failover is accomplished by doing the following: 

□ Creating virtual IP addresses on each proxy. 

□ Creating a failover group. 

□ Attaching the bridge configuration. 

□ Selecting a failover mode (parallel or serial). 

One of the proxies must be designated with a higher priority (a master proxy). 
Example 

The following example creates a bridging configuration with one bridge on standby. 



Note: This deployment requires a hub on both sides of the bridge or a switch 
capable of port mirroring. 
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□ SG A — software bridge IP address: 10 . 0 . 0 . 2 . Create a virtual IP address and a 
failover group, and designate this group the master. 

SG_A# (conf ig) virtual -ip address 10.0.0.4 

SG_A# (conf ig) failover 

SG_A#(config failover) create 10.0.0.4 
SG_A#(config failover) edit 10.0.0.4 
SG_A#(config failover 10.0.0.4) master 
SG_A#(config failover 10.0.0.4) priority 100 
SG_A#(config failover 10.0.0.4) interval 1 

□ SG B — software bridge IP address: 10.0.0.3. Create a virtual IP address and a 
failover group. 

SG_B# (conf ig) virtual-ip address 10.0.0.4 

SG_B# (conf ig) failover 

SG_B#(config failover) create 10.0.0.4 
SG_B#(config failover) edit 10.0.0.4 
SG_B#(config failover 10.0.0.4) priority 100 
SG_B#(config failover 10.0.0.4) interval 1 

□ In the bridge configuration on each SG appliance, attach the bridge configuration to the 
failover group: 

SG_A#(config bridge bridge_name ) failover 10.0.0.4 
SG_B#(config bridge bridge_name ) failover 10.0.0.4 

□ Specify the failover mode: 

SG_A#(config bridge bridge_name) failover serial 
SG_B#(config bridge bridge_name) failover serial 

Bridging Loop Detection 

Bridging now supports the Spanning Tree Protocol (STP). STP is a link management 
protocol that prevents bridge loops in a network that has redundant paths that can cause 
packets to be bridged infinitely without ever being removed from the network. 

STP ensures that a bridge, when faced with multiple paths, uses a path that is loop-free. If 
that path fails, the algorithm recalculates the network and finds another loop-free path. 

The administrator can enable or disable spanning tree participation for the interface. 

Enable spanning tree participation: 

1. Select Configuration > Network > Adapters > Bridges. 

2. Select the desired bridge. 

3. Click Edit. 
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4. In the Edit Bridge window, highlight the interface you want to configure and click 

Edit. The Edit Bridge Interface dialog displays. 
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5. Click Enable Spanning Tree. 

6. Click OK to close the Edit Bridge Interface and Edit Bridge windows. 

7. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Enable Spanning Tree Participation 

SGOS#(config bridge bridge_name) spanning- tree adapter#: interface# 

{enable | disable} 

Adding Static Forwarding Table Entries 

Certain firewall configurations require the use of static forwarding table entries. Failover 
configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) addresses. When 
a client sends an ARP request to the firewall VIP, the firewall replies with a VMAC (which 
can be an Ethernet multicast address); however, when the firewall sends a packet, it uses a 
physical MAC address, not the VMAC. 

The solution is to create a static forwarding table entry that defines the next hop gateway 
that is on the correct side of the bridge. 

To create a static forwarding table: 

1. Select Configuration > Network > Adapters > Bridges. 

2. Select the bridge you want to edit and click Edit. The Edit Bridge Interface dialog 
displays. 
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Edit Bridge 



Edit Bridge Interface 





3. Add the static forwarding table entry. 

a. In the Edit Bridge window, select the interface on which to create the static 
forwarding table entry. 

b. Click Edit. 

c. In the Edit Bridge Interfaces window, click Add. 

d. In the Add Mac window, add the MAC address of the next hop gateway and 
click OK. 



4. Click OK to close the Edit Bridge Interface and Edit Bridge windows. 

5. Select Apply to commit the changes to the SG appliance. 



Related CLI Syntax to Create a Static Forwarding Table Entry 

SGOS#(config bridge bridge_name ) static- fwtable-entry 
adapter#: interface# mac-address 



Bypass List Behavior 

The dynamic bypass list is handled differently, depending on the OS version. In SGOS 4.x, 
packets matching the dynamic bypass list are forwarded in the IP layer. In SGOS 5.x, the 
packets are forwarded in the bridge layer, which is more appropriate and efficient. For 
more information on using bypass lists in SGOS 5.x, refer to Volume 3: Proxies and Proxy 
Services. 
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The behavior of the static bypass list stays the same. The packets are forwarded in IP layer. 
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A key feature of the SGOS software is the ability to distribute traffic originating at the 
appliance through multiple gateways. You can also fine tune how the traffic is 
distributed to different gateways. This feature works with any routing protocol (such 
as static routes or RIP). 



Note: Load balancing through multiple gateways is independent from the per- 
interface load balancing the SG appliance automatically does when more than 
one network interface is installed. 



This chapter discusses: 

□ " About Gateways" 

□ "SG Appliance Specifics" on page 61 

□ "Switching to a Secondary Gateway" on page 62 

□ "Routing" on page 62 

About Gateways 

During the initial setup of the SG appliance, you optionally defined a gateway (a device 
that serves as entrance and exit into a communications network) for the SG appliance. 

By using multiple gateways, an administrator can assign a number of available 
gateways into a preference group and configure the load distribution to the gateways 
within the group. Multiple preference groups are supported. 

The gateway specified applies to all network adapters in the system. 

SG Appliance Specifics 

Which gateway the SG appliance chooses to use at a given time is determined by how 
the administrator configures the assignment of preference groups to default gateways. 
You can define multiple gateways within the same preference group. A SG appliance 
can have from 1 to 10 preference groups. If you have only one gateway, it automatically 
has a weight of 100. 

Initially, all gateways in the lowest preference group are considered to be the active 
gateways. If a gateway becomes unreachable, it is dropped from the active gateway list, 
but the remaining gateways within the group continue to be used until they all become 
unreachable, or until an unreachable gateway in a lower preference group becomes 
reachable again. If all gateways in the lowest preference group become unreachable, 
the gateways in the next lowest preference group become the active gateways. 
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In addition to a preference group, each gateway within a group can be assigned a relative 
weight value from 1 to 100. The weight value determines how much bandwidth a 
gateway is given relative to the other gateways in the same group. For example, in a 
group with two gateways, assigning both gateways the same weight value, whether 1 or 
100, results in the same traffic distribution pattern. In a group with two gateways, 
assigning one gateway a value of 10 and the other gateway a value of 20 results in the SG 
appliance sending approximately twice the traffic to the gateway with a weight value of 
20 . 

Switching to a Secondary Gateway 

When a gateway goes down, the networking code detects the unreachable gateway in 20 
seconds, and the switch over takes place immediately if a secondary gateway is 
configured. All configured gateways are affected, not just default gateways, as was the 
case in earlier releases. 

To configure multiple gateway load balancing: 

1. Select Configuration > Network > Routing > Gateways. 



Gateways j Routing j RIP 

- IP gateways: 

Group Weight Gateway 




New j [ Edit ] [ Delete 



- IP Forwarding 

□ Enable IP forwarding 



2. Click New. 

3. Enter the IP address, group, and weight for the gateway into the Add list item dialog 
that appears. 

4. Click OK. 

5. Repeat steps 2 to 4 until IP addresses, groups, and weights have been defined for all of 
your gateways. 

6. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Configure Multiple Gateway Load Balancing 

SGOS# (conf ig) ip-default-gateway ip_address preference_group weight 



Routing 



By default, routing is done transparently if the SG appliance can verify (trust) the 
destination IP addresses provided by the client. If the destination IP addresses cannot be 
trusted, the SG appliance uses static routes. 
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Note: If your environment uses explicit proxy or Layer-4 redirection, or if the 

destination IP addresses cannot be verified by the SG appliance, static routes must be 
configured. 



Hardware or software bridges can be transparently routed if the destination IP address/ 
hostname can be verified. If the client-provided destination IP address is not in the list of 
resolved IP addresses for the particular host, then the SG appliance uses static routes 
instead. For hostname-less protocols such as CIFS and FTP, the IP address can always be 
trusted. For other protocols, such as HTTP, RTSP, and MMS, which have a hostname that 
must be resolved, verification can be an issue. URL rewrites that modify the hostname 
also can cause verification to fail. 

Transparent ADN connections that are handed off to an application proxy (HTTP or 
MAPI, for example) can utilize L2/L3 transparency. Also, transparent ADN connections 
that are tunneled but not handed off can utilize the functionality. 



Note: IM is not supported with trust client addressing. In order to login and chat, 

the default router must have Internet access. Other IM features require direct 
connections, so static routes are required. 



This feature is not user-configurable. 

Using Static Routes 

If you use an explicit proxy or layer-4 redirection deployment, or a Blue Coat feature such 
as forwarding where the destination IP cannot be verified by the SG appliance, you can 
use static routes. 

A static route is a manually-configured route that specifies the transmission path a packet 
must follow, based on the packet's destination address. A static route specifies a 
transmission path to another network, and a default static route already exists. 

Situations in which static routes are used include: 

□ DNS load balancing. Sites that use DNS load balancing and return a single IP address 
cause a mismatch between the IP address provided by the client and the IP address 
resolved by the SG appliance. 

□ Anywhere that appropriate client-side routing information is unavailable, such as for 
forwarding hosts, dynamic categorization, and ADN peers. 



Note: For bridged deployments, transparent routing, in most cases, overrides any 

static route lookups. 



The routing table is a text file containing a list of IP addresses, subnet masks, and 
gateways. You are limited to 10,000 entries in the static routes table. The following is a 
sample router table: 

10 . 25 . 36.0 255 . 255 . 255.0 10 . 25 . 36.1 

10 . 25 . 37.0 255 . 255 . 255.0 10 . 25 . 37.1 

10 . 25 . 38.0 255 . 255 . 255.0 10 . 25 . 38.1 

When a routing table is installed, all requested URLs are compared to the list and routed 
based on the best match. 
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You can install the routing table several ways. 

□ Using the Text Editor, which allows you to enter settings (or copy and paste the 
contents of an already-created file) directly onto the appliance. 

□ Creating a local file on your local system; the SG appliance can browse to the file and 
install it. 

□ Using a remote URL, where you place an already-created file on an FTP or HTTP 
server to be downloaded to the SG appliance. 

□ Using the CLI inline static -route -table command, which allows you to paste a 
static route table into the SG appliance. 

□ Using the CLI static- routes command, which requires that you place an already- 
created file on an FTP or HTTP server and enter the URL into the SG appliance. 



Note: If you upgrade to SGOS 5.x from SGOS 4.x, entries from the central and local 
bypass lists are converted to static route entries in the static route table. The converted 
static route entries are appended after the existing static route entries. Duplicate static 
route entries are silently ignored. 

All traffic leaving the SG appliance is affected by the static route entries created from the 
SGOS 4.x bypass lists. 



Installing a Routing Table 

To install a routing table: 

1. Select Configuration > Network > Routing > Routing. 

2. From the drop-down list, select the method used to install the routing table; click 

Install. 

• Remote URL: 

Enter the fully-qualified URL, including the filename, where the routing table is 
located. To view the file before installing it, click View. Click Install. To view the 
installation results, click Results; close the window when you are finished. Click 

OK. 

• Local File: 

Click Browse to bring up the Local File Browse window. Browse for the file on the 
local system. Open it and click Install. When the installation is complete, a results 
window opens. View the results and close the window. 

• Text Editor: 

The current configuration is displayed in installable list format. You can 
customize it or delete it and create your own. Click Install. When the installation is 
complete, a results window opens. View the results, close this window, and click 

Close. 

3. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Install a Routing Table 

To install a routing table, you can use the inline command to install the table directly, or 
enter a path to a remote URL that has an already-created text file ready to download. 
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□ To paste a static route table directly into the CLI: 

SGOS# (conf ig) inline static-route- table end-of-file_marker 
paste static routing table 
eof 
ok 

□ To enter the static route table manually: 

SGOS# (conf ig) inline static-route- table end-of -file_marker 

10 . 25 . 36.0 255 . 255 . 255. 0 10 . 25 . 46.57 

10 . 25 . 37.0 255 . 255 . 255. 0 10 . 25 . 46.58 

10 . 25 . 38.0 255 . 255 . 255. 0 10 . 25 . 46.59 

eof 

ok 

□ To enter a path to a remote URL: 

SGOS# (conf ig) static-routes path url 
SGOS# (conf ig) load static-route- table 

Notes 

□ Any deployment that causes traffic to traverse the link from the SG appliance to the 
home router twice is not supported. Some WCCP configurations might not work as 
expected. 

□ If you use URL host rewrite functionality in your policies, mismatches can occur 
between the client-provided IP address and the resolved, rewritten hostname. In these 
cases, static routing is used. 



65 



Volume 2: Getting Started 



66 



Chapter 9: DNS 



During first-time installation of the SG appliance, you configured the IP address of a 
single primary Domain Name Service (DNS) server. Using the Configuration > Network 
> DNS tab, you can change this primary DNS server at any time, and you can also 
define additional primary DNS servers and one or more alternate DNS servers. 

This chapter discusses: 

□ "SG Appliance Specifics" 

□ "Configuring Split DNS Support" on page 68 

□ "Changing the Order of DNS Servers" on page 69 

□ "Unresolved Hostnames (Name Imputing)" on page 70 

□ "Changing the Order of DNS Name Imputing Suffixes" on page 70 

□ "Caching Negative Responses" on page 70 

SG Appliance Specifics 

If you have defined more than one DNS server, the SGOS software uses the following 
logic to determine which servers are used to resolve a DNS host name and when to 
return an error to the client: 

□ SGOS first sends requests to DNS servers in the primary DNS server list. 

□ Servers are always contacted in the order in which they appear in a list. 

□ The next server in a list is only contacted if the SG appliance does not receive a 
response from the current server. 

□ If none of the servers in a list returns a response, the SG appliance returns an error 
to the client. 

□ The SG appliance only sends requests to servers in the alternate DNS server list if a 
server in the primary list indicates that a DNS host name cannot be resolved. 

If a DNS server returns any other error (other than an indication that a DNS host 
name could not be resolved), the SG appliance returns the error to the client. 

If a server in both the primary and alternate DNS server lists are unable to resolve a 
DNS host name, an error is returned to the client. 

The SG appliance always attempts to contact the first server in the primary DNS server. 
If a response is received from this server, no attempts are made to contact any other 
DNS servers in the primary list. 

If the response from the first primary DNS server indicates a name error, the SG 
appliance sends a DNS request to the first alternate DNS server, if one is defined. If no 
alternate DNS servers have been defined, an error is returned to the client indicating a 
name error. If the first alternate DNS server is unable to resolve the IP address, a name 
error is returned to the client, and no attempt is made to contact any other DNS servers 
in either the primary or alternate DNS server lists. 
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If a response is not received from any DNS server in a particular DNS server list, the SG 
appliance sends a DNS request to the next server in the list. The SG appliance returns a 
name error to the client if none of the servers in a DNS server list responds to the DNS 
request. 



Note: The alternate DNS server is not used as a failover DNS server. It is only used 
when DNS resolution of primary DNS server returns name error. If a timeout occurs 
when looking up the primary DNS server, no alternate DNS server is contacted. 



If the SG appliance receives a negative DNS response (a response with an error code set to 
Name Error), it caches that negative response. You can configure the SG appliance's 
negative response time-to-live value. (A value of zero disables negative caching.) If the SG 
appliance is not configured (the default), the SG appliance caches the negative response 
and uses the TTL value from the DNS response to determine how long it should be 
cached. 

Configuring Split DNS Support 

Customers with split DNS server configuration (for example, environments that maintain 
private internal DNS servers and external DNS servers) might choose to populate an 
Alternate DNS server list as well as the Primary DNS server list. In the SG appliance, the 
internal DNS servers are placed in the Primary list, while external DNS servers (with the 
Internet information) populate the Alternate list. 

Complete the following procedures to configure primary and alternate DNS servers. 

To add a primary DNS server: 

1. Select Configuration > Network > DNS > DNS. 



2. 

3. 

4. 




Click New. 

Enter the IP address of the DNS server in the dialog that appears and click OK. 
Select Apply to commit the changes to the SG appliance. 



Related CLI Syntax to Add a DNS Server 

To add a primary DNS server: 

SGOS# (conf ig) dns server ip_address 
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To Add an Alternate DNS Server 

1. Select Configuration > Network > DNS > DNS. 

The DNS tab displays. 

2. Select Alternate DNS in the drop-down list. 

3. Click New. 

4. Enter the IP address of the DNS server in the dialog that appears and click OK. 

5. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Adding an Alternate DNS Server 

To add an alternate DNS server: 

SGOS# (conf ig) dns alternate ip_address 
Repeat until alternate DNS servers have been defined. 

Changing the Order of DNS Servers 

The SG appliance uses DNS servers in the order displayed. You can organize the list of 
servers so that the preferred servers appear at the top of the list. This functionality is not 
available through the CLI. 

To change the order of DNS servers: 

1. Select Configuration > Network > DNS > Imputing. 

DNS Imputing 

- DNS name imputing suffixes: 




List order indicates preference Promote entry 

Demote entry 



2. Select the DNS server to promote or demote. 

3. Click Promote entry or Demote entry as appropriate. 

4. Select Apply to commit the changes to the SG appliance. 
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Unresolved Hostnames (Name Imputing) 

Name imputing allows the SG appliance to resolve host names based on a partial name 
specification. When the SG appliance submits a host name to the DNS server, the DNS 
server resolves the name to an IP address. The SG appliance queries the original hostname 
before checking imputing entries unless there is no period in the host name, in which case 
imputing is applied first. The SG appliance tries each entry in the name-imputing list until 
the name is resolved or it comes to the end of the list. If by the end of the list the name is 
not resolved, the SG appliance returns a DNS failure. 

For example, if the name-imputing list contains the entries company . com and com, and a 
user submits the URL http : //www . eedept, the SG appliance resolves the host names in 
the following order. 

http : / / www . eedept 

http : / / www . eedept . company . com 

http : / / www . eedept . com 

To add names to the imputing list: 

1. Select Configuration > Network > DNS > Imputing. 

The Imputing tab displays. 

2. Click New to add a new name to the imputing list. 

3. Enter the name in the dialog that appears and click OK. 

4. Select Apply to commit the changes to the SG appliance. 

Related CLI Syntax to Add Names to the Imputing List 
To add names to the imputing list: 

SGOS# (conf ig) dns imputing suffix 

For example, to use company.com as the imputing suffix, enter dns -imputing 
company . com. 

Repeat until all imputing suffixes have been entered. 

Changing the Order of DNS Name Imputing Suffixes 

The SG appliance uses imputing suffixes in the order displayed. You can organize the list 
of suffixes so the preferred suffix appears at the top of the list. This functionality is only 
available through the Management Console. You cannot configure it through the CLI. 

To change the order of DNS name imputing suffixes: 

1. Select Configuration > Network > DNS > Imputing. 

The Imputing tab displays. 

2. Select the imputing suffix to promote or demote. 

3. Click Promote entry or Demote entry as appropriate. 

4. Select Apply to commit the changes to the SG appliance. 

Caching Negative Responses 

By default, the SG appliance caches negative DNS responses sent by a DNS server. You 
can configure the SG appliance to set the time-to-live (TTL) value for a negative DNS 
response to be cached. You can also disable negative DNS response caching. 
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Note: The SG appliance generates more DNS requests when negative caching is 
disabled. 



The SG appliance supports caching of both type A and type PTR DNS negative responses. 

This functionality is only available through the CLI. You cannot configure DNS negative 
caching through the Management Console. 

To configure negative caching TTL values: 

From the (config) prompt: 

SGOS# (conf ig) dns negative-cache- ttl -override seconds 

where seconds is any integer between 0 and 600. 

Setting the TTL value to 0 seconds disables negative DNS caching; setting the TTL setting 
to a non-zero value overrides the TTL value from the DNS response. 

To restore negative caching defaults: 

From the (config) prompt): 

SGOS# (conf ig) dns no negative-cache- ttl-override 
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Term 


Description 


ADN Optimize Attribute 


Controls whether to optimize bandwidth usage when connecting upstream using an 
ADN tunnel. 


Asynchronous Adaptive 
Refresh (AAR) 


This allows the ProxySG to keep cached objects as fresh as possible, thus reducing 
response times. The AAR algorithm allows HTTP proxy to manage cached objects 
based on their rate of change and popularity: an object that changes frequently and/ 
or is requested frequently is more eligible for asynchronous refresh compared to an 
object with a lower rate of change and/ or popularity. 


Asynchronous Refresh 
Activity 


Refresh activity that does not wait for a request to occur, but that occurs 
asynchronously from the request. 


Attributes (Service) 


The service attributes define the parameters, such as explicit or transparent, 
cipher suite, and certificate verification, that the ProxySG uses for a 
particular service. . 


Authenticate-401 Attribute 


All transparent and explicit requests received on the port always use transparent 
authentication (cookie or IP, depending on the configuration). This is especially 
useful to force transparent proxy authentication in some proxy-chaining scenarios 


authentication 


The process of identifying a specific user. 


authorization 


The permissions given to a specific user. 


Bandwidth Gain 


A measure of the difference in client-side and server-side Internet traffic expressed in 
relation to server-side Internet traffic. It is managed in two ways: you can enable or 
disable bandwidth gain mode or you can select the Bandwidth Gain profile (this also 
enables bandwidth gain mode).. 


Bandwidth Class 


A defined unit of bandwidth allocation. An administrator uses bandwidth classes to 
allocate bandwidth to a particular type of traffic flowing through the ProxySG. 


Bandwidth Class Hierarchy 


Bandwidth classes can be grouped together in a class hierarchy, which is a tree 
structure that specifies the relationship among different classes. You create a 
hierarchy by creating at least one parent class and assigning other classes to be its 
children. 


Bandwidth Policy 


The set of rules that you define in the policy layer to identify and classify the traffic in 
the ProxySG, using the bandwidth classes that you create. You must use policy 
(through either VPM or CPL) in order to manage bandwidth. 


Bypass Lists 


The bypass list allows you to exempt IP addresses from being proxied by the 
ProxySG. The bypass list allows either <A11> or a specific IP prefix entry for 
both the client and server columns. Both UDP and TCP traffic is 
automatically exempted. 
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Term 


Description 


Byte-Range Support 


The ability of the ProxySG to respond to byte-range requests (requests with a 
Range : HTTP header). 


Cache-hit 


An object that is in the ProxySG and can be retrieved when an end user requests the 
information. 


Cache-miss 


An object that can be stored but has never been requested before; it was not in the 
ProxySG to start, so it must be brought in and stored there as a side effect of 
processing the end-user's request. If the object is cacheable, it is stored and served the 
next time it is requested. 


Child Class (Bandwidth 
Gain) 


The child of a parent class is dependent upon that parent class for available 
bandwidth (they share the bandwidth in proportion to their minimum/ maximum 
bandwidth values and priority levels). A child class with siblings (classes with the 
same parent class) shares bandwidth with those siblings in the same manner. 


Client consent certificates 


A certificate that indicates acceptance or denial of consent to decrypt an end user's 
HTTPS request. 


Compression 


An algorithm that reduces a file's size but does not lose any data. The ability to 
compress or decompress objects in the cache is based on policies you create. 
Compression can have a huge performance benefit, and it can be customized based 
on the needs of your environment: Whether CPU is more expensive (the default 
assumption), server-side bandwidth is more expensive, or whether client-side 
bandwidth is more expensive. 


Default Proxy Listener 


See " Proxy Service (Default)" . 


Detect Protocol Attribute 


Detects the protocol being used. Protocols that can be detected include: 

HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper. 


Directives 


Directives are commands that can be used in installable lists to configure forwarding. 
See also forwarding Configuration. 


Display Filter 


The display filter is a drop-down list at the top of the Proxy Services pane that allows 
you to view the created proxy services by service name or action. 


Early Intercept Attribute 


Controls whether the proxy responds to client TCP connection requests before 
connecting to the upstream server. When early intercept is disabled, the proxy delays 
responding to the client until after it has attempted to contact the server. 


Emulated Certificates 


Certificates that are presented to the user by ProxySG when intercepting 
HTTPS requests. Blue Coat emulates the certificate from the server and signs 
it, copying the subjectName and expiration. The original certificate is used 
between the ProxySG and the server. 


ELFF-compatible format 


A log type defined by the W3C that is general enough to be used with any protocol. 


Encrypted Log 


A log is encrypted using an external certificate associated with a private key. 
Encrypted logs can only be decrypted by someone with access to the private key. The 
private key is not accessible to the ProxySG. 
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Term 


Description 


explicit proxy 


A configuration in which the browser is explicitly configured to communicate with 
the proxy server for access to content. 

This is the default for the Proxy SG, and requires configuration for both browser and 
the interface card. 


Fail Open/ Closed 


Failing open or closed applies to forwarding hosts and groups and SOCKS gateways. 
Fail Open/ Closed applies when the health checks are showing sick for each 
forwarding or SOCKS gateway target in the applicable fail-over sequence. If no 
systems are healthy, the Proxy SG fails open or closed, depending on the 
configuration. If closed, the connection attempt simply fails. 

If open, an attempt is made to connect without using any forwarding target (or 
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no 
setting is specified. 


Forwarding Configuration 


Forwarding can be configured through the CLI or through adding directives to a text 
file and installing it as an installable list. Each of these methods (the CLI or using 
directives) is equal. You cannot use the Management Console to configure 
forwarding. 


Forwarding Host 


Upstream Web servers or proxies. 


forward proxy 


A proxy server deployed close to the clients and used to access many servers. A 
forward proxy can be explicit or transparent. 


Freshness 


A percentage that reflects the objects in the ProxySG cache that are expected to be 
fresh; that is, the content of those objects is expected to be identical to that on the OCS 
(origin content server). 


Gateway 


A device that serves as entrance and exit into a communications network. 


Global Default Settings 


You can configure settings for all forwarding hosts and groups. These are called the 
global defaults. You can also configure private settings for each individual 
forwarding host or group. Individual settings override the global defaults. 


FTP 


See Native FTP; Web FTP. 


Host Affinity 


Host affinity is the attempt to direct multiple connections by a single user to the same 
group member. Host affinity is closely tied to load balancing behavior; both should 
configured if load balancing is important. 


Host Affinity Timeout 


The host affinity timeout determines how long a user remains idle before the 
connection is closed. The timeout value checks the user's IP address, SSL ID, or 
cookie in the host affinity table. 


Inbound Traffic (Bandwidth 
Gain) 


Network packets flowing into the ProxySG. Inbound traffic mainly consists of the 
following: 

• Server inbound: Packets originating at the origin content server (OCS) and sent to 
the ProxySG to load a Web object. 

• Client inbound: Packets originating at the client and sent to the ProxySG 
for Web requests. 
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Term 


Description 


Installable Lists 


Installable lists, comprised of directives, can be placed onto the Proxy SG in one of 
several methods: through creating the list through the Proxy SG text editor, by 
placing the list at an accessible URL, or by downloading the directives file from the 
local system. 


Integrated Host Timeout 


An integrated host is an Origin Content Server (OCS) that has been added to the 
health check list. The host, added through the integrate_new_hosts property, 
ages out of the integrated host table after being idle for the specified time. The default 
is 60 minutes. 


IP Reflection 


Determines how the client IP address is presented to the origin server for explicitly 
proxied requests. All proxy services contain a reflect-ip attribute, which enables or 
disables sending of client's IP address instead of the ProxySG's IP address. 


Issuer keyring 


The keyring that is used by the Proxy SG to sign emulated certificates. The keyring is 
configured on the Proxy SG and managed through policy. 


Listener 


The service that is listening on a specific port. A listener can be identified by any 
destination IP/ subnet and port range. Multiple listeners can be added to 
each service. 


Load Balancing 


The ability to share traffic requests among multiple upstream targets. Two methods 
can be used to balance the load among systems: least -connect ions or round- 
robin . 


Log Facility 


A separate log that contains a single logical file and supports a single log format. It 
also contains the file's configuration and upload schedule information as well as 
other configurable information such as how often to rotate (switch to a new log) the 
logs at the destination, any passwords needed, and the point at which the facility can 
be uploaded. 


Log Format 


The type of log that is used: NCSA/ Common, SQUID, ELFF, SurfControl, or 
Websense. 

The proprietary log types each have a corresponding pre-defined log format that has 
been set up to produce exactly that type of log (these logs cannot be edited). In 
addition, a number of other ELFF type log formats are also pre-defined (im, main, 
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log 
fields for logging particular protocols understood by the Proxy SG. It is also possible 
to create new log formats of type ELFF or Custom which can contain any desired 
combination of log fields. 


Log Tail: 


The access log tail shows the log entries as they get logged. With high traffic on the 
ProxySG, not all access log entries are necessarily displayed. However, you can view 
all access log information after uploading the log. 


Maximum Object Size 


The maximum object size stored in the ProxySG. All objects retrieved that are greater 
than the maximum size are delivered to the client but are not stored in the ProxySG. 


NCSA common log format 


A log type that contains only basic HTTP access information. 
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Term 


Description 


Negative Responses 


An error response received from the OCS when a page or image is requested. If the 
ProxySG is configured to cache such negative responses, it returns that response in 
subsequent requests for that page or image for the specified number of minutes. If it 
is not configured, which is the default, the ProxySG attempts to retrieve the page or 
image every time it is requested. 


Native FTP 


Native FTP involves the client connecting (either explicitly or transparently) using 
the FTP protocol; the ProxySG then connects upstream through FTP (if necessary). 


Outbound Traffic 
(Bandwidth Gain) 


Network packets flowing out of the ProxySG. Outbound traffic mainly consists of 
the following: 

• Client outbound: Packets sent to the client in response to a Web request. 

• Server outbound: Packets sent to an OCS or upstream proxy to request a service. 


Origin Content Server (OCS) 




Parent Class (Bandwidth 
Gain) 


A class with at least one child. The parent class must share its bandwidth with its 
child classes in proportion to the minimum /maximum bandwidth values or priority 
levels. 


PASV 


Passive Mode Data Connections. Data connections initiated by an FTP client to 
an FTP server. 


proxy 


Caches content, filters traffic, monitors Internet and intranet resource usage, blocks 
specific Internet and intranet resources for individuals or groups, and enhances the 
quality of Internet or intranet user experiences. 

A proxy can also serve as an intermediary between a Web client and a Web server 
and can require authentication to allow identity based policy and logging for the 
client. 

The rules used to authenticate a client are based on the policies you create on the 
ProxySG, which can reference an existing security infrastructure — LDAP, RADIUS, 
IWA, and the like. 


Proxy Service 


The proxy service defines the ports, as well as other attributes, that are used by the 
proxies associated with the service. 


Proxy Service (Default) 


The default proxy service is a service that intercepts all traffic not otherwise 
intercepted by other listeners. It only has one listener whose action can be set to 
bypass or intercept. No new listeners can be added to the default proxy service, and 
the default listener and service cannot be deleted. Service attributes can be changed. 


realms 


A realm is a named collection of information about users and groups. The name is 
referenced in policy to control authentication and authorization of users for access to 
Blue Coat Systems ProxySG services. Multiple authentication realms can be used on 
a single ProxySG. Realm services include IWA, LDAP, Local, and RADIUS. 


Reflect Client IP Attribute 


Enables the sending of the client's IP address instead of the ProxySG's IP address to 
the upstream server. If you are using an Application Delivery Network (ADN), this 
setting is enforced on the concentrator proxy through the Configuration>App. 
Delivery Network>Tunneling tab. 
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Term 


Description 


Refresh Bandwidth 


The amount of bandwidth used to keep stored objects fresh. By default, the ProxySG 
is set to manage refresh bandwidth automatically. You can configure refresh 
bandwidth yourself, although Blue Coat does not recommend this. 


reverse proxy 


A proxy that acts as a front-end to a small number of pre-defined servers, typically to 
improve performance. Many clients can use it to access the small number of 
predefined servers. 


rotate logs 


When you rotate a log, the old log is no longer appended to the existing log, and a 
new log is created. All the facility information (headers for passwords, access log 
type, and so forth), is re-sent at the beginning of the new upload. 

If you're using Reporter (or anything that doesn't understand the concept of "file," 
such as streaming) the upload connection is broken and then re-started, and, again, 
the headers are re-sent. 


serial console 


A device that allows you to connect to the ProxySG when it is otherwise 
unreachable, without using the network. It can be used to administer the ProxySG 
through the CLI. You must use the CLI to use a serial console. 

Anyone with access to the serial console can change the administrative access 
controls, so physical security of the serial console is critical. 


Server Certificate Categories 


The hostname in a server certificate can be categorized by BCWF or another content 
filtering vendor to fit into categories such as banking, finance, sports. 


Sibling Class (Bandwidth 
Gain) 


A bandwidth class with the same parent class as another class. 


SOCKS Proxy 


A generic way to proxy TCP and UDP protocols. The ProxySG supports both 
SOCKSv4/4a and SOCKSv5; however, because of increased username and password 
authentication capabilities and compression support. Blue Coat recommends that 
you use SOCKS v5.. 


SmartReporter log type 


A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter 
tool. 


Split proxy 


Employs co-operative processing at the branch and the core to implement 
functionality that is not possible in a standalone proxy. Examples of split 
proxies include : 

Mapi Proxy 
SSL Proxy 


SQUID-compatible format 


A log type that was designed for cache statistics. 


SSL 


A standard protocol for secure communication over the network. Blue Coat 
recommends using this protocol to protect sensitive information. 


SSL Interception 


Decrypting SSL connections. 


SSL Proxy 


A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or 
reverse proxy mode. 
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Term 


Description 


static routes 


A manually-configured route that specifies the transmission path a packet must 
follow, based on the packet's destination address. A static route specifies a 
transmission path to another network. 


SurfControl log type 


A proprietary log type that is compatible with the SurfControl reporter tool. The 
SurfControl log format includes fully-qualified usernames when an NTLM realm 
provides authentication. The simple name is used for all other realm types. 


Traffic Flow (Bandwidth 
Gain) 


Also referred to as flow. A set of packets belonging to the same TCP/UDP connection 
that terminate at, originate at, or flow through the ProxySG. A single request from a 
client involves two separate connections. One of them is from the client to the 
ProxySG, and the other is from the ProxySG to the OCS. Within each of these 
connections, traffic flows in two directions — in one direction, packets flow out of the 
ProxySG (outbound traffic), and in the other direction, packets flow into the 
ProxySG (inbound traffic). Connections can come from the client or the server. Thus, 
traffic can be classified into one of four types: 

• Server inbound 

• Server outbound 

• Client inbound 

• Client outbound 

These four traffic flows represent each of the four combinations described above. 
Each flow represents a single direction from a single connection. 


transparent proxy 


A configuration in which traffic is redirected to the ProxySG without the knowledge 
of the client browser. No configuration is required on the browser, but network 
configuration, such as an L4 switch or a WCCP-compliant router, is required. 


Variants 


Objects that are stored in the cache in various forms: the original form, fetched from 
the OCS; the transformed (compressed or uncompressed) form (if compression is 
used). If a required compression variant is not available, then one might be created 
upon a cache-hit. (Note: policy-based content transformations are not stored in the 
ProxySG.) 


Web FTP 


Web FTP is used when a client connects in explicit mode using HTTP and 
accesses an ftp:/ / URL. The ProxySG translates the HTTP request into an 
FTP request for the OCS (if the content is not already cached), and then 
translates the FTP response with the file contents into an HTTP response for 
the client. 


Websense log type 


A proprietary log type that is compatible with the Websense reporter tool. 


Wildcard Services 


When multiple non-wildcard services are created on a port, all of them must be of the 
same service type (a wildcard service is one that is listening for that port on all IP 
addresses). If you have multiple IP addresses and you specify IP addresses for a port 
service, you cannot specify a different protocol if you define the same port on another 
IP address. For example, if you define HTTP port 80 on one IP address, you can only 
use the HTTP protocol on port 80 for other IP addresses. 

Also note that wildcard services and non-wildcard services cannot both exist at the 
same time on a given port. 

For all service types except HTTPS, a specific listener cannot be posted on a port if 
the same port has a wildcard listener of any service type already present. 
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